Thursday, 22 August 2013

The Information Commissioner's Office has
just published an extremely interesting document showing that it could be
having a record year. A record year in terms of staff turnover, that is. A paper prepared for last month’s meeting of
the ICO’s Management Board suggested that the current trend, based on the first
quarter’s figures, was for 19% of staff to leave the organisation by the end of
the current financial year.

Given that
the 2012-13 actual staff turnover was just 7.7%, should this be of much
concern?

Hopefully,
the staff turnover stats for the first quarter of the current year (4.7%) were
just an aberration. And there are plenty
of people left – the ICO does have a staff of some 395 (or 363.6 when you count
them in terms of full time equivalents). Staff levels do not appear to be reducing.

Perhaps
there are good reasons for such a high turnover rate in such a fine
organisation. It’s not as a result of much internal disciplinary action. The
ICO has only conducted 7 discipline, dignity at work and grievance cases since
April 2012. It’s obviously a nice place to work, and packed with people who are
nice to each other. It’s also quite a healthy environment. Only 5.46 days a
year are lost to sickness, compared with the civil service average of 8 days a
year.

Perhaps more
data controllers are realising that they need people who have some hands-on
experience of this data protection stuff, and because practitioners are quite
thin on the ground, they want people with intimate knowledge of what it is that
regulators are really concerned about, so that they can fix those areas of
their businesses, first.

Perhaps the
local economy is picking up, and some of “Wilmslow’s finest” are being tempted
away by employers who can offer better packages than the ICO can. It can’t be pleasant
commuting to such an exclusive area, past estate agents and car showrooms that
advertise homes and vehicles so far beyond the price range of the average ICO
employee.

But people
do still want to work at the ICO. Some 213 applicants responded to some 25
recruitment campaigns, and 55 interviews were held during the first quarter.

Perhaps part
of the answer is the changing nature of the ICO’s work. Fewer staff are
required to help organisations register their details and pay their fees, and
people with different skills are required in the policy, audit and enforcement
teams.

So, a
possible (but, presumably, unlikely) 19% staff turnover rate need not be a
cause for undue concern for those of us who are interested in what emerges from
the ICO. Essential posts can still be filled when the incumbent leaves. And if
Parliament wishes to question the effectiveness of the organisation, it needs to ask itself whether it allocated sufficient resources to the ICO in the first
place.

After all, the
revamped financial regulator, the Financial Conduct Authority, has apparently increased
its funding requirements by 15% to £432.1 million, following the disbanding of
the Financial Services Authority earlier this year.

If it costs
that much to regulate the UK’s financial services industry, is it really the
case that the ICO can properly regulate all 372,369 organisations who have
registered as data controllers, and also to supervise the FOI landscape, on a
budget of just £20 million? That’s less than one twentieth (4.6%) of the FCA’s
budget.

Wednesday, 21 August 2013

If you
thought the Government wasn’t interested in updating its ability to use
communications data to fight terrorism and serious crime, think again. Although
there’s no sign of a publication date for a revised Communications Data Bill, the
Home Office is currently advertising for a senior bod to help run its Communications Capabilities Development Programme. They’re even prepared to pay
the lucky person up to £117,800. So, the successful applicant had better be
good.

What’s the
role?

Well,
reporting to the Programme Director, someone is needed: “to provide
leadership of the business change and associated training aspects of the CCD
programme, working in partnership with a wide range of stakeholders including
all UK Police forces and the College of Policing.” They must have: “credibility to effectively
represent the views of a complex and diverse stakeholder community and operate
in an environment where there have been complex partnerships, with competing
and sometimes conflicting priorities.”

The job spec comments that: “this is a challenging role given the complexity of
the environment, ongoing changes in telecommunications technologies and
services, and changes in policing.” I’m surprised the job spec didn’t also refer
to the challenges faced by the current political environment, where politicians
are keen to be seen to be supporting the law enforcement community, but not at
the expense of removing any fundamental rights from citizens.

Whoever takes on this task will have to be a master of many skills. They’ll be
responsible for:

• Leading the business change and associated training aspects of the CCD
programme nationally.

• The development of the business change capability within the CCD Programme
and across the stakeholder community, including all UK Police forces and the
College of Policing.

• Providing operational community subject matter expertise.

• Ensuring collaboration and communication across the CCD Programme themes in
business change.

• Accountable for the budget spend on all business change activities delivered
through the CCD Programme.

• Ensuring Programme benefits are delivered within the stakeholder community
and monitored.

Note all the references to the “stakeholder community”. But who
comprises this community? Is it the law enforcement community, together with
the communication and internet service providers whose communications records
play such a vital role in the process? Or does it also include politicians, journalists,
representatives of civil society, other opinion formers and those oiks like you
and me, whose communications records also play a vital role in the process? Don’t
ask me. I’m not sure.

Feeling excited about this great opportunity?

Feel the need to lead?

If you’ve got what it takes, then you had better contact the Home Office
quickly. The closing date is 27 August
(just after the forthcoming bank holiday).

Tuesday, 20 August 2013

It’s reassuring
to realise that, as the UK has an awful lot of CCTV systems, we have a range of Commissioners
who are tasked with regulating aspects of them.

It’s less reassuring
to realise that these Commissioners have slightly different powers, and
overlapping jurisdictions. If you need any enforcement done, then the ICO’s your
man. If, however, you’re after a current list of the approved
standards that may apply to the system functionality, the installation and the
operation and maintenance of a surveillance camera system, then the
Surveillance Camera Commissioner will show you his list. He can also provide guidance
on the bodies that are able to accredit performance against such standards. And
the Chief Surveillance Commissioner is always available to advise if the CCTV
systems get anywhere near the domain of covert surveillance.

Got it?

And each CCTV system is supposed to be reviewed each
year.

Principle 10 of the recently published Surveillance
Camera Code of Practice requires that “There should be effective review and audit mechanisms to
ensure legal requirements, policies and standards are complied with in
practice, and regular reports should be published.”

The Code
goes on to explain that: "Good practice
dictates that a system operator should review the continued use of a surveillance
camera system on a regular basis, at least annually, to ensure it remains
necessary, proportionate and effective in meeting its stated purpose for
deployment." [4.10.1]

The code also explains that: "A system
operator should make a summary of such a review available publicly as part of
the transparency and accountability for the use and consequences of its
operation." [4.10.4]

Aficionados of the odd FOI request will be
delighted to think that there is yet another reason they will be able to flood
public authorities with a tsunami of requests, giving public officials lots more
work to do. Just how they will be able
to meet their obligations, in the face of heroic budget cuts, is not a matter
for discussion today.

But.

The British Security Industry Association estimates
that there are between 4 million and 5.9 million cameras in the UK today, and
only 1 in 70 of them are controlled by local government.

So, will there be many annual reviews carried
out on the vast majority of cameras, which are actually controlled by the
private sector?

To be honest, I doubt it. Even though the ICO’s
own CCTV Code also recommends annual reviews (and has done so for a very long
time).

If responsible private sector data
controllers did want to carry out an annual review and needed help in knowing
what it was they were supposed to be reviewing, help is at hand. Not only from
yours truly, but also from the ICO, who has helpfully prepared an annual check
list for smaller data controllers. Thankfully, this check list isn’t one of
those awfully complicated documents that take forever to complete. It’s very
simple, actually.

I would offer a prize to the first reader who
tells me where the check list can be found on the ICO’s website. But I can’t, as
all my spare bottles of scotch prizes have recently been offered to my chums at RBS.

If I were you, I would get reviewing. You
never know when the ICO might come along to check whether anyone has done their
annual CCTV homework.

Sunday, 18 August 2013

I made a silly
mistake when posting a blog entry recently, and accordingly offer an unreserved
apology to all my chums at the Royal Bank of Scotland.

What happened?

Well, I was so
taken with the story that the ICO had fined the Bank of Scotland £75,000 for continually faxing various documents to two
wrong numbers that I blogged about it. Nothing wrong with the text. But there
was something wrong with the accompanying image – which was of the logo of the Royal
Bank of Scotland, rather than the Bank of Scotland. Oops. My lack of knowledge of the Scottish
banking scene shines through. I ought to have known that there was a Bank of
Scotland, as well as a Royal Bank of Scotland. But if I did, in the heat of the moment in
searching for an appropriate image, I forgot. A more appropriate image (the logo of the Bank
of Scotland) accompanies that blog posting, now.

My mistake came at
a useful time – if any time can be
considered “useful”, that is. I recently had lunch with a chum who had experienced
the age-old problem of an inappropriate email having been sent to the wrong
address. No harm was done, and the incident was quickly contained. The recipient
destroyed their copy without forwarding it to anyone else. The sender was just
glad that no incriminating photos accompanied the informal “how nice it was to
meet you last night” note. My chum was extremely embarrassed about the incident – but we
agreed that it did serve as a reminder about how careful we need to be when
communicating anything, these days. It’s so easy to hit the “send” button
without checking absolutely everything. Even
now I cringe as I remember some of the typos that were not spotted and still
exist in documents I’m associated with that are now in the public domain.
Fortunately, most of these documents are evidently so boring that few people
have noticed the typos. Or if they have, they have (mostly) been too busy to tell
me.

I’m glad that,
in this case, my chums at RBS got in touch to tell me about my howler,
so that I could correct it. It would have been equally nice if someone at the Bank
of Scotland had pointed out that I had used someone else’s logo in relation to “their” story – but never mind.
We all do the best we can. We all make mistakes, too – but hopefully we can
cheerfully correct those that are notified to us, and hope that no offence is
taken by our lack of diligence.

One of the first
times I can remember the names of institutions getting mixed up was during the
wonderful “Children’s Matinee at the Coliseum” scene in the 1979 movie Life of
Brian. Devotees of the film will remember the following exchange taking
place:

Friday, 9 August 2013

Telephone intercepts can sometimes end up in the wrong
hands. And, occasionally, technical difficulties mean that only one side of the
conversation is intercepted.

What might have happened if an intercepted conversation like
this had been made public by Wikileaks, or some other group that leaks official
secrets to the public at large?

Hi, is that the ICO’s Breach Notification Department? It’s
Maud at the Serious Fraud Office. We’ve had a bit of an incident over here, and
our interim Data Protection Officer thought you might want to know. It’s all a
bit hush hush – so you mustn’t tell anyone else about it.

What? Dunno how it happened. Probably some kid on work
experience got carried away with the address labelling machine in the post room,
and stuck the wrong address labels on some boxes.

How many boxes did you say? Dunno. Enough to hold about
32,000 pages of documents, 81 audio tapes and a load of computer files.

When did it happen, did you say? Dunno. Probably last year between
May and October. We realised that
something was wrong about 3 months ago, and we think we’ve recovered about 98% of the
material. So we’re only short of about 1,600 documents, a
couple of audio tapes and a handful of computer files.

What were they about, did you say? Dunno – I haven’t read any
of them. They came from that team that carried out a 6 year investigation into
allegations that British Aerospace had paid bribes around the world to secure
lucrative arms contracts. You know, the one that ended with BAE paying out
almost £300 million in penalties. Yes, that was the one.

Who were they mistakenly sent to? I can’t tell you that. That’s
against data protection. These
recipients have got rights, you know.

Whattdya mean we’ve got to fill in a breach notification
form and you’re going to start an investigation? We’re the ones that do the
investigating around here.

Civil Monetary Penalties? Are you mad? Do you think we’re
seriously gonna cough up simply because some prat stuck the wrong labels on
some bloody boxes? Don’t you know how many boxes there are, lying around our
post room? We deserve medals for making sure incidents like this don’t happen every
week. It’s not that serious, you know.
Nowhere near as serious as most of the crimes we’re trying to investigate.

Well, if you’re going to take that attitude, then there will
be a problem. All I was told to do was give you a quick call on the sly so you’ve
clocked that we’ve ticked the “no publicity” box for this incident. Stuff like
this is embarrassing. So keep it quiet, ok?

Whattdya mean it’s all over the papers today?

Bugger.

In that case, the SFO will revert to plan B. We’ve given you
an oral report of the incident. So what if it's 3 months late. If you want one in writing it’ll take us another 3 months – and by the time you guys have had satisfactory answers to every
point you raise it’ll be well into autumn 2014. By that time, hopefully some
other poor sod will have reported an even more newsworthy data breach, and the
heat will be off us. Oh, and our interim Data Protection Officer tells me we’re fast running out of money, so
there’s no hope of you slapping a huge fine on us for our sloppy data handling
standards. We’ve stopped school kids from getting work experience in the post
room, and that’s all that can be done right now. They’ve been reassigned to the typing pool, instead.

Oh, and don’t go around in public mouthing off about us or
telling everyone that you’re investigating us. There must be a law against
that, somewhere.

Section 59 of the Data Protection Act prevents the Information Commissioner or his staff from revealing what enforcement action they intend to take, until it has been
taken (unless the news is already in the public domain). So we can only dream
about what may happen.

Thursday, 8 August 2013

No sooner was yesterday’s list of the top 15 data protection
movers and shakers published than my inbox started to receive a host of
counter suggestions. Yes, there are many more people who deserve to be
recognised as having reached the pinnacle of the UK’s data protection establishment.

Accordingly, I’ve prepared a second list of other popular
nominations. The lucky nominees are, (mostly) in alphabetical order:

(1) Richard Allen, he of Facebook fame

(2) Emma Ascroft, Yahoo!’s European public policy director

(3) Heather Bignell-Blye at the Post Office

(4) Ruth Boardman of Bird & Bird

(5) Phil Booth, of the No2ID and mediconfidential campaign
groups

(6) Ian Brown of the Oxford Internet Institute

(7) Hugo Brown, whose new DP employment service could keep many
of us in gainful employment for years to come

(8) Virginia Chinda-Coutts of RSA

(9) Richard Cumbley of Linklaters

(10) Stephen Deadman, Vodafone’s privacy chief

(11) Dave Evans, formerly ICO cookie captain, now at Swiss Re

(12) Nick Graham, data supremo at Dentons

(13) Gus Hosein of Privacy International

(14) Julian Huppert MP, currently leading Lib Dem thinking on
privacy

(15) Rosemary Jay, currently at Hunton & Williams, author of
a best seller on data protection law

(16) Jim Killock, of the Open Rights Group

(17) Mita Mitra, BT’s data
protection thought leader

(18) Nicola McKilligan at Thomson Reuters

(19) Christopher Millard, Professor of Privacy and Information Law at Queen
Mary College

(20) Neil Patterson of Tesco

(21) Chris Pounder of Amberhawk Training, and an occasional FOI
requester. Surely the tallest data protection professional in the UK

(22) Suzanne Rodway of the Royal Bank of Scotland

(23) Richard Thomas, former Information Commissioner & the people’s choice for the next data
protection peer

(24) Ian Walden, Professor of Communications at Queen Mary College

And finally, surely no list could be complete without a special
mention being given to

Wednesday, 7 August 2013

Last night’s meeting of the Crouch End Chapter of the Institute for Data Protection went on for some time. But, as members
staggered out of the pub, they were clutching a document that, for once,
everyone could agree on. It contained a list of the top 15 movers and shakers
of the UK's data protection establishment.

These individuals will now be scrutinised by an executive
committee before a shorter list is announced in the autumn. The committee will
be empowered to make additional recommendations, if Google searches of the
current nominees reveal too much of a chequered past.

The ultimate mover and shaker, if a single name eventually
emerges from this process, will have the honour of adding this prestigious accolade
to their Linkedin profile, and the embarrassment of knowing that everyone else
will be comparing their achievements to
others who, in their view, have achieved more than our illustrious winner.

So, in (mostly) alphabetical
order, the top 15 movers and shakers are:

(1) Bojana Bellamy, shortly to become President of the Centre
for Information Policy Leadership at Hunton & Williams, who will always grace a
reputable conference platform.

(2) Robert Bond, Speechly Bircham, for his pioneering work about
how children use the internet.

(3) John Bowman, our man from the Ministry of Justice, determined
to persuade his EU chums of the importance of focussing on outcomes, rather
than processes.

(5) Stephen McCartney, always trying so hard to keep Google in
the ICO’s good books.

(6) Nick Pickles, Director of BigBrotherWatch, who can always be
relied upon to release a pithy press statement that queries some aspect of the
surveillance state.

(7) Tim Pit Payne QC, frequently seen at the Information Rights
Tribunal either supporting or opposing whatever the ICO has recently decided. Based
at 11 Kings Bench Walk.

(8) Anya Proops, barrister, often appearing at the Information
Rights Tribunal arguing against Tim Pit Payne, so either opposing or supporting
whatever the ICO has recently decided. Spookily, also based at 11 Kings Bench
Walk.

(9) Stewart Room, FFW, mostly in the thick of it, advising
clients whose data handling standards have come to the attention of the folk in
Wilmslow.

(10) Melanie Shillito, Promontory, one of the powerhouses behind
the Data Protection Forum.

(13) Mark Watts, Bristows, aching to defend his clients against
any unfair whims of the regulator.

And, of course:

(14) Christopher Graham and (15) David Smith, also known as the 'Ant & Dec of
the ICO.' These cheeky chappies will continue to appear at conference venues
near you, amusing and delighting audiences with their insights about what’s really
going on in the world of data protection.

Note:

Regular readers are welcome to nominate other outstanding individuals by writing to me at the usual address. I'll pass them to the executive committee for further scrutiny.

About Me

I'm Martin Hoskins, and I started this blog to offer a somewhat irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.